The head of the UK’s new National Cyber Security Centre (NCSC) has detailed plans to move the UK to "active cyber-defence", to better protect government networks and improve the UK’s overall security.
The strategy update by NCSC chief exec Ciaran Martin comes just weeks before the new centre is due to open next month and days after the publication of a damning report by the National Audit Office into the UK government’s current approach to digital security.
Martin called for the "development of lawful and carefully governed offensive cyber capabilities to combat and deter the most aggressive threats".
Active cyber defence means hacking back against attackers to disrupt assaults, in US parlance at least. Martin defined the approach more narrowly as "where the government takes specific action with industry to address large-scale, non-sophisticated attacks".
During his speech at the Billington Cyber Security Summit in Washington DC, NCSC's Martin also floated the idea of sharing government network security tools such as DNS filters with private-sector ISPs, as previously reported.
Security vendors praised the UK government's more pro-active approach to cybersecurity, arguing it’s (if anything) overdue.
“The Government is right to look for innovative ways to disrupt organised cybercrime,” said Paul Taylor, partner and UK Head of cyber security at management consultants KPMG. “It’s crucial that we stay one step ahead of attackers and that takes constant innovation and coordination. No one is immune from cyber-attacks but UK small businesses are especially vulnerable as the reality is that many struggle to deal with an onslaught of ransomware and cyber enabled frauds.”
Taylor also backed the greater sharing of information security intelligence, a key plank in the NCSC’s policy that’s viewed with suspicion by privacy advocates*.
“A new partnership between Government and industry is needed to protect our society, take the offensive against criminals, and work together to disrupt digital crime,” Taylor explained. “At the moment many companies are reluctant to share information on attacks they’ve suffered, we need to build a safe space for Government and industry to share intelligence so that we have the best chance of tackling cybercrime.”
Matt Walker, VP Northern Europe, HEAT Software, noted that stronger defences were needed as government services such as universal credit become available online.
“The protection of citizens’ information from the threat of cyber-attack needs to become a higher priority for central and local government as we continue to move more and more interaction online,” Walker said. “The universal credit system alone will pay out seven per cent of UK GDP– making it a target for online fraud. Equally, the ransomware attack that locked Lincolnshire County Council out of its own systems for days had repercussions for mission-critical services such as health and social care.”
The NCSC will act as a hub for sharing best practices in security between public and private sectors as well as taking a lead role in national cyber incident response. The organisation will report to GCHQ, the signals intelligence agency.
*The US's Cybersecurity Information Sharing Act was bitterly but ultimately unsuccessfully opposed by privacy activists.